CVE-2023-52355
Published: 25 January 2024
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted TIFF file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
Notes
Priority reason: The fix for this issue is in the documentation for applications to ensure they properly limit memory usage.

Author | Note |
---|---|
sbeattie | texmaker added an embedded copy of libtiff in bionic |
rodrigo-zaiden | fix in documentation only, marking all Ubuntu releases as ignored, as the fix in Documentation won't be of any usage in backports. If that is not the case, I'll be happy to move it back to an active status. |
Priority
Status
Package | Release | Status |
---|---|---|
gdal | bionic | Not vulnerable (uses system tiff) |
gdal | focal | Not vulnerable (uses system tiff) |
gdal | jammy | Not vulnerable (uses system tiff) |
gdal | mantic | Not vulnerable (uses system tiff) |
gdal | trusty | Ignored (documentation only) |
gdal | upstream | Needs triage |
gdal | xenial | Ignored (documentation only) |
neuron | bionic | Ignored (documentation only) |
neuron | focal | Ignored (documentation only) |
neuron | jammy | Ignored (documentation only) |
neuron | mantic | Not vulnerable (dropped embedded libtiff) |
neuron | trusty | Does not exist |
neuron | upstream | Needs triage |
neuron | xenial | Does not exist |
qtwebengine-opensource-src | bionic | Ignored (documentation only) |
qtwebengine-opensource-src | focal | Ignored (documentation only) |
qtwebengine-opensource-src | jammy | Ignored (documentation only) |
qtwebengine-opensource-src | mantic | Ignored (documentation only) |
qtwebengine-opensource-src | trusty | Does not exist |
qtwebengine-opensource-src | upstream | Needs triage |
qtwebengine-opensource-src | xenial | Does not exist |
texmaker | bionic | Ignored (documentation only) |
texmaker | focal | Ignored (documentation only) |
texmaker | jammy | Ignored (documentation only) |
texmaker | mantic | Ignored (documentation only) |
texmaker | trusty | Not vulnerable (code not present) |
texmaker | upstream | Needs triage |
texmaker | xenial | Ignored (documentation only) |
tiff | bionic | Ignored (documentation only) |
tiff | focal | Ignored (documentation only) |
tiff | jammy | Ignored (documentation only) |
tiff | mantic | Ignored (documentation only) |
tiff | trusty | Ignored (documentation only) |
tiff | upstream | Needs triage |
tiff | xenial | Ignored (documentation only) |

Patches (tiff):
upstream: https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4
upstream: https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |